TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D - Updating Switch Software
- Appendix E – Emergency Recovery Process
Page 17
7.1.2 IDS/IPS
The security controls implemented by an IDS or IPS placed at the perimeter
depend on whether the IDS or IPS is placed on the “outside” (unprotected side)
or “inside” (protected side) of the perimeter firewall.
Note: Implementing the best practice of IDS outside the firewall and IPS inside the firewall requires a second TMS zl Module configured in monitor mode to act as the IDS outside the firewall; the first TMS zl Module provides the firewall itself and the IPS inside it.
7.1.2.1 Outside the Perimeter Firewall
Commonly, an IDS placed outside the perimeter firewall is configured for maximum sensitivity, with all signatures and other detection methods (e.g. anomalous protocol-specific behavior and anomalous IP behavior) enabled, so that security administrators get a sense of the threat level outside the perimeter, where no protective security controls are deployed.
IPSs are not typically deployed outside the perimeter firewall because they are designed to examine traffic that has already been pre-screened by the firewall. It is of course possible to place an IPS outside the firewall, but it would then have to perform its intensive examination, needed to decide whether to take a prevention action, on every packet arriving at the perimeter rather than only on the packets the firewall has already admitted. This is an inefficient use of resources: firewalls are designed to screen packets very efficiently with relatively little CPU and memory, whereas an IPS must spend comparatively large amounts of CPU and memory on the deep examination of every packet required to decide whether an intrusion prevention action should be taken.
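The placement argument above, modelled as an added example (not code from this guide or from the TMS zl Module): a monitor-mode IDS outside the firewall inspects every packet with all signatures enabled and only alerts, the firewall cheaply drops anything that is not an exposed service, and the IPS inside inspects only what the firewall admitted, using just the signatures for exposed services. Packet fields, signature names and the sample traffic are constructed for the simulation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str          # application protocol, e.g. "smtp", "ftp", "ssh"
    traits: frozenset   # constructed traits that signatures match on

# Perimeter firewall: a cheap port/protocol check, only exposed services pass.
EXPOSED_SERVICES = {25: "smtp", 21: "ftp"}

# Signature sets (constructed names). The IDS outside runs all of them;
# the IPS inside runs only those for exposed services plus generic anomalies.
ALL_SIGNATURES = {
    "smtp": {"relay_allowed", "expn_overflow", "malformed_mime"},
    "ftp": {"bounce", "write_beyond_root"},
    "ssh": {"brute_force"},
    "any": {"ip_anomaly"},
}
EXPOSED_SIGNATURES = {k: v for k, v in ALL_SIGNATURES.items()
                      if k in EXPOSED_SERVICES.values() or k == "any"}

def firewall_allows(p: Packet) -> bool:
    return EXPOSED_SERVICES.get(p.dst_port) == p.proto

def inspect(p: Packet, signatures: dict) -> set:
    """The expensive deep examination; returns the matching signature names."""
    hits = set()
    for proto in (p.proto, "any"):
        hits |= signatures.get(proto, set()) & p.traits
    return hits

def run_pipeline(packets) -> dict:
    """Outside IDS (monitor mode) -> firewall -> inside IPS -> delivery."""
    s = {"ids_inspected": 0, "ids_alerts": 0, "ips_inspected": 0,
         "ips_dropped": 0, "delivered": 0}
    for p in packets:
        s["ids_inspected"] += 1                  # IDS sees every packet
        if inspect(p, ALL_SIGNATURES):
            s["ids_alerts"] += 1                 # alert only, never blocks
        if not firewall_allows(p):
            continue                             # cheap drop; IPS never sees it
        s["ips_inspected"] += 1                  # only pre-screened packets
        if inspect(p, EXPOSED_SIGNATURES):
            s["ips_dropped"] += 1                # prevention action
            continue
        s["delivered"] += 1
    return s

# Constructed sample traffic arriving at the perimeter.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 25, "smtp", frozenset()),
    Packet("198.51.100.8", 25, "smtp", frozenset({"relay_allowed"})),
    Packet("198.51.100.9", 21, "ftp", frozenset({"bounce"})),
    Packet("203.0.113.4", 22, "ssh", frozenset({"brute_force"})),
    Packet("203.0.113.5", 3389, "rdp", frozenset({"ip_anomaly"})),
    Packet("203.0.113.6", 23, "telnet", frozenset()),
]
```

Running `run_pipeline(SAMPLE_PACKETS)` shows the IDS inspecting all six packets and raising four alerts, while the IPS only has to examine the three packets the firewall admitted.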
7.1.2.2 Inside the Perimeter Firewall
Controls typically implemented by IDSs or IPSs inside the firewall at the perimeter include detecting (for IDSs) or preventing (for IPSs) traffic patterns that match signatures for exposed services, more generic protocol-specific anomalies for exposed services, and generally anomalous traffic patterns. For example:
- SMTP-specific: Sendmail Mailing to Files, Sendmail Bounce to Program, EXPN Overflow, MS SMTP DoS, Sendmail DoS, Mail Forgery Check, Sendmail Relaying Allowed, Exchange Malformed MIME Header, Klez Virus, etc.
- FTP-specific: Vulnerable GuildFTP, FTP Bounce Check, Attempt to Write Beyond FTP Root, FTP